Friday, June 11, 2010

Securing IE for Alarm Response Procedures

I got a very thoughtful call the other day from David Stokes at Eli Lilly. Dave had found my Alarm Response Procedure video out on my YouTube channel. Eli Lilly is a big user of the DCA (Document Control and Archiving) module of Syncade and they had talked about going down the same sort of path, utilizing the kiosk mode of DCA for direct call up of effective documents right from DeltaV.

The potential roadblock they hit was a security risk. If you look at the IE window that the PDF appears in, you’ll notice the menu bar is present.

The risk is that if someone were to click on the File menu and then on Save As…, they could start dropping HTML files all over the DeltaV system. Having the toolbar buttons or the address bar along the top is just as critical.

Turns out there is a lot of chatter on the Internet on how to secure IE. I found registry hacks and even tweak programs. The easiest (and safest, IMHO) way to get rid of the menu bar is by making a Group Policy change.

Click on Start, then Run…, and type gpedit.msc. Drill in to User Configuration -> Administrative Templates -> Windows Components -> Internet Explorer, then look for a setting named “Turn on menu bar by default”. Double-click it and change it to Disabled. That gets rid of the menu bar.

You can get rid of toolbars by drilling down into the Toolbars and enabling some policies:

The address bar is trickier: it’s a registry change. Go figure. You need to go into:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions\

You’ll have to add a DWORD named NoNavBar with a value of 0x00000001.
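The same registry change as a PowerShell check-then-set, added here as an example and not part of the original post. It uses only the key, value name and data given above; the function names are hypothetical, and because the key lives under HKEY_CURRENT_USER it only affects the account that runs the script.

```powershell
# Added example: audit, and if needed set, the NoNavBar restriction described above.
# HKCU is per-user, so run this in the session of the account that opens the IE window.
$Path = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions'
$Name = 'NoNavBar'
$Want = 1   # 0x00000001, as given in the post

function Test-NoNavBar {
    # True only when the value exists, is a DWORD, and equals 1.
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if (-not $key) { return $false }
    if ($key.GetValueNames() -notcontains $Name) { return $false }
    if ($key.GetValueKind($Name) -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        return $false   # e.g. someone created it as a string "1"
    }
    return ($key.GetValue($Name) -eq $Want)
}

function Set-NoNavBar {
    # Create the Restrictions key if it is missing, then write the DWORD.
    # The Policies subtree is normally not writable by standard users,
    # which matches the post's assumption of an administrator logon.
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord `
        -Value $Want -Force | Out-Null
}

if (Test-NoNavBar) {
    "NoNavBar is already set for $env:USERNAME."
} else {
    Set-NoNavBar
    if (Test-NoNavBar) {
        "NoNavBar set for $env:USERNAME. Open a new IE window to confirm the address bar is gone."
    } else {
        throw "NoNavBar could not be verified under $Path."
    }
}
```

Running it a second time only reports the current state, so it can double as a periodic check that the restriction is still in place on each operator station.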

This technique would be used to secure your operator stations, and all of it assumes you’re logged into Windows as the administrator. There could be other scenarios depending on your exact setup. When all is said and done, your final IE window will look something like this:
